from ars technica
As online games grow, the need to properly secure these virtual worlds becomes more important.
Massively multiplayer online games (MMOGs), particularly of the role-playing variety (MMORPGs), have been growing for years, and while a great deal of that growth since 2004 is solely attributable to WoW, games like Runescape and Second Life have established their own solid game bases north of 250,000 subscribers, while plenty of other games (Lord of the Rings Online, Conan, Pirates of the Burning Sea) have seen respectable if not overwhelming results of their own. (There's also some wacky game named Dofus at around 450,000 subscribers; it's both French and Flash-based, but has still managed to garner a significant base for itself. Go figure.) As data from SirBruce's MMOGChart.com shows, the total number of active MMO subscribers has grown tremendously.
MMOGChart, for those of you who aren't familiar with it, is probably the single best source (in some cases, the only source) for consistent subscriber tracking on virtually any commercially viable MMO. The charts may be flawed, in some cases, but SirBruce acknowledges the limitations of his measurements and adjusts when necessary.
Trends on the security side, however, are less clear, as McAfee details in a new report on online gaming, authored by Dr. Igor Muttik. While the large-scale MMOs appear to have done a good job when it comes to securing user information (and let's not get started on the fact that Blizzard can be trusted with your credit card data, but the bank can't be), the existing client/server structure of many MMOs is not secure. This is particularly true in MMOs that allow certain scripted activities to occur client-side without limiting the speed with which such actions can be repeated.
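The server-side check that the paragraph above says is missing, as an added example (not from the article or McAfee's report): a per-account token bucket that limits how fast an action can repeat, timed by the server clock only. The action names, limits and flag threshold are assumptions chosen for illustration.

```python
import time
from collections import defaultdict

# Hypothetical per-action limits: (burst capacity, refill rate in actions/second).
LIMITS = {"cast_spell": (2, 1.0), "loot": (5, 2.0)}
FLAG_THRESHOLD = 3  # rejected requests before an account is queued for review


class ActionLimiter:
    """Token bucket per (account, action); client-reported timing is never used."""

    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock
        self.buckets = {}                  # (account, action) -> (tokens, last_seen)
        self.rejections = defaultdict(int)

    def allow(self, account, action):
        if action not in self.limits:
            return False                   # unknown actions are denied, not waved through
        capacity, rate = self.limits[action]
        now = self.clock()
        tokens, last = self.buckets.get((account, action), (capacity, now))
        tokens = min(capacity, tokens + (now - last) * rate)  # refill since last request
        allowed = tokens >= 1.0
        self.buckets[(account, action)] = (tokens - 1.0 if allowed else tokens, now)
        if not allowed:
            self.rejections[account] += 1
        return allowed

    def flagged(self, account):
        return self.rejections[account] >= FLAG_THRESHOLD


def replay(events):
    """Feed (server_time, account, action) events through a fresh limiter."""
    now = [0.0]
    limiter = ActionLimiter(clock=lambda: now[0])
    results = []
    for when, account, action in events:
        now[0] = when
        results.append((account, limiter.allow(account, action)))
    return results, limiter


# Constructed sample: a scripted client repeats "cast_spell" every 50 ms,
# while a human-paced client casts once per second.
SAMPLE = sorted([(i * 0.05, "bot", "cast_spell") for i in range(10)] +
                [(float(i), "human", "cast_spell") for i in range(4)])
```

Because the bucket refills from the server's clock, a client that scripts the action faster gets only the configured burst, and its rejection count gives operations a signal to review.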
McAfee does a good job of covering the basic threats to MMORPGs but ultimately fails to delve into some of the most interesting security questions of the genre. The report mentions that certain criminal elements use games like Second Life or World of Warcraft for money laundering, but that's an issue the IRS has been aware of for years; the document sheds no additional light on how (or where) such activity has occurred, what the result was, or whether any investigations sprang from it.
Dr. Muttik instead romps through familiar territory; keyloggers and password stealers are significantly more popular in 2008 than they were in 2004, a number of existing malware variations could be (and have been) adapted to steal MMO-related passwords or other information, and there's the need for programmers to use secure sandboxes and appropriate scripting techniques in order to prevent widespread cracks.
If I sound dissatisfied with McAfee's document, it's not because any of its points are wrong, but because these issues are, I think, generally well-known to any studio seriously interested in MMO development. It's no secret that game-breaking hacks can, in fact, break the game, or that information on how to perform them spreads like wildfire across a server.
Similarly, when Dr. Muttik advocates that developers consider how "technology solutions, economic measures, and human factors affect security," he's absolutely right. A number of the measures he suggests for client/server authentication, preventing in-game hacks, making virtual spamming impractical, and protecting workers under physical threat are good ones, assuming, at least, that you're a Game Master from Blizzard who finds yourself threatened by a moron in a murloc costume who's brandishing a spear and gurgling at you.
One final note (and again, something not mentioned in McAfee's report), is that security practices with regard to both your personal information and your characters can and will vary considerably from MMO to MMO. This is probably not an issue for anyone playing a prominent title; there's no reason I'm aware of to think that Sony Computer Entertainment America (the corporation that owns a number of MMO titles), or Blizzard, or Funcom will lose your information or refuse to restore your characters if they themselves are lost. If you choose to play a fly-by-night game with a tiny dev team, on the other hand, the playing rules may be vastly different. That's not to say such games are inherently unsafe, but I'd stick to game cards and/or month-by-month PayPal transactions.
As for the report, it's a decent read if you're concerned about general security issues in MMOs, the techniques modern developers have adopted to meet them, and some of the more advanced security measures that might be needed in the future. Hopefully we'll see a follow-up from McAfee at some point, with more information on how virtual crime is impacting the real world.
Update: Several readers wrote in to point out that Blizzard is offering customers the option of a two-factor authentication system. The Blizzard Authenticator is currently sold out, but each time you log in, you enter a unique code (generated by the authenticator) as a one-time password. Anyone wanting to hack your account, in other words, must possess both the physical authenticator (a small keychain) and your standard WoW password. McAfee's report recommends this type of multi-factor authentication system, though they don't mention Blizzard specifically.